Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

Managing Yandex StoreDoc users

Written by
Updated at February 6, 2026

You can add and remove users, manage individual user settings, and change database access permissions.

Getting a list of users

  1. Open the folder dashboard.
  2. Navigate to the Yandex StoreDoc service.
  3. Locate the cluster you need in the list, click its name, and select the  Users tab.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To get a list of cluster users, run this command:

yc managed-mongodb user list \
  --cluster-name <cluster_name>

You can get the cluster name from the list of clusters in your folder.

  1. Get an IAM token for API authentication and place it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.List method, e.g., via the following cURL request:

    curl \
  --request GET \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --url 'https://mdb.api.cloud.yandex.net/managed-mongodb/v1/clusters/<cluster_ID>/users'

    You can get the cluster ID from the list of clusters in your folder.

  3. Check the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and place it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the UserService.List method, e.g., via the following gRPCurl request:

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/mongodb/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>"
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.mongodb.v1.UserService.List

    You can get the cluster ID from the list of clusters in your folder.

  4. Check the server response to make sure your request was successful.

Creating a user

  1. Open the folder dashboard.

  2. Navigate to the Yandex StoreDoc service.

  3. Click the name of your cluster and open the  Users tab.

  4. Click Create user.

  5. Enter the database user’s name and password.

    Note

    The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.

    The password must be between 8 and 128 characters.

  6. Configure the user’s roles:

    1. Click Add database and select the database for role assignment.
    2. Add roles using the button.

    You can assign a user multiple roles across different databases.

  7. Click Create.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To create a cluster user:

  1. See the description of the CLI command for creating a user:

    yc managed-mongodb user create --help

  2. Specify user properties in the creation command:

    yc managed-mongodb user create <username> \
  --cluster-name <cluster_name> \
  --password <user_password> \
  --permission database=<DB_name>,role=<role>,role=<other_role>,... \
  --permission database=<other_DB_name>,role=<role>,...

    Note

    The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.

    The password must be between 8 and 128 characters.

    You can get the cluster name from the list of clusters in your folder.

  1. Open the current Terraform configuration file describing your infrastructure.

    To learn how to create this file, see Creating a cluster.

  2. Add the yandex_mdb_mongodb_user resource:

    resource "yandex_mdb_mongodb_user" "<username>" {
  cluster_id = <cluster_ID>
  name       = "<username>"
  password   = "<password>"
  permission {
    database_name = "<DB_name>"
    roles         = [ "<list_of_user_roles>" ]
  }
}

    Where database_name is the name of the target database for user access.

    Note

    The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.

    The password must be between 8 and 128 characters.

  3. Validate your configuration.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm resource changes.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider guide.

  1. Get an IAM token for API authentication and place it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.Create method, e.g., via the following cURL request:

    curl \
  --request POST \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --header "Content-Type: application/json" \
  --url 'https://mdb.api.cloud.yandex.net/managed-mongodb/v1/clusters/<cluster_ID>/users' \
  --data '{
            "userSpec": {
              "name": "<username>",
              "password": "<user_password>",
              "permissions": [
                {
                  "databaseName": "<DB_name>",
                  "roles": [
                   "<role_1>", "<role_2>", ..., "<role_N>"
                  ]
                }
              ]
            }
          }'

    Where userSpec are the new database user’s settings:

    • name: Username.

    • password: Password.

      Note

      The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.

      The password must be between 8 and 128 characters.

    • permissions: User permissions:

      • databaseName: Name of the database the user can access.
      • roles: User roles as an array of strings, one per role. Possible values are listed in Users and roles.

      In the permissions array, add a separate element with permission settings for each database.

    You can get the cluster ID from the list of clusters in your folder.

  3. Check the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and place it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the UserService.Create method, e.g., via the following gRPCurl request:

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/mongodb/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>",
        "user_spec": {
          "name": "<username>",
          "password": "<user_password>",
          "permissions": [
            {
              "database_name": "<DB_name>",
              "roles": [
                 "<role_1>", "<role_2>", ..., "<role_N>"
              ]   
            }
          ]
        }
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.mongodb.v1.UserService.Create

    Where user_spec are the settings for the new database user:

    • name: Username.

    • password: Password.

      Note

      The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.

      The password must be between 8 and 128 characters.

    • permissions: User permissions:

      • database_name: Name of the database the user can access.
      • roles: User roles as an array of strings, one per role. Possible values are listed in Users and roles.

      In the permissions array, add a separate element with permission settings for each database.

    You can get the cluster ID from the list of clusters in your folder.

  4. Check the server response to make sure your request was successful.

Updating user settings

  1. Open the folder dashboard.

  2. Navigate to the Yandex StoreDoc service.

  3. Click the name of your cluster and open the  Users tab.

  4. To change a user’s password, locate the user in the list, click in their row, and select Change password.

    Note

    The password must be from 8 to 128 characters long.

  5. To change the user's roles:

    1. Locate the user you need in the list, click in their row, and select Configure.
    2. To add a role, click next to the target database and select the role you want to assign.
    3. To delete a role, click next to its name.

  6. Click Save.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To change a user's password or role assignments:

  1. See the description of the CLI command for updating a user:

    yc managed-mongodb user update --help

  2. Specify user properties in the user update command:

    yc managed-mongodb user update <username> \
  --cluster-name <cluster_name> \
  --password <user_password> \
  --permission database=<DB_name>,role=<role>,role=<other_role>,... \
  --permission database=<other_DB_name>,role=<role>,...

    Note

    The password must be from 8 to 128 characters long.

To grant a user access to a database with a specific set of roles:

  1. See the description of the CLI command for granting user permissions:

    yc managed-mongodb user grant-permission --help

  2. Specify user properties in the user grant permission command:

    yc managed-mongodb user grant-permission <username> \
  --cluster-name <cluster_name> \
  --database <DB_name> \
  --role <list_of_roles_separated_by_commas>

To revoke database access from a user:

  1. See the description of the CLI command for revoking user permissions:

    yc managed-mongodb user revoke-permission --help

  2. Specify user properties in the user revoke permission command:

    yc managed-mongodb user revoke-permission <username> \
  --cluster-name <cluster_name> \
  --database <DB_name>

    This command revokes the user’s access to the specified database.

You can get the cluster’s name from the list of clusters in your folder, the database name from the list of your cluster databases, and the user's name from the list of cluster users.

  1. Open the current Terraform configuration file describing your infrastructure.

    To learn how to create this file, see Creating a cluster.

  2. Locate the yandex_mdb_mongodb_user resource.

  3. Update the password and permission settings:

    resource "yandex_mdb_mongodb_user" "<username>" {
  cluster_id = <cluster_ID>
  name       = "<username>"
  password   = "<new_password>"
  permission {
    database_name = "<DB_name>"
    roles         = [ "<new_list_of_user_roles>" ]
  }
}

    Note

    The password must be from 8 to 128 characters long.

  4. Validate your configuration.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  5. Confirm resource changes.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider guide.

  1. Get an IAM token for API authentication and place it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.Update method, e.g., via the following cURL request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.

    curl \
  --request PATCH \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --header "Content-Type: application/json" \
  --url 'https://mdb.api.cloud.yandex.net/managed-mongodb/v1/clusters/<cluster_ID>/users/<username>' \
  --data '{
           "updateMask": "password,permissions.databaseName,permissions.roles",
           "password": "<user_password>",
           "permissions": [
             {
               "databaseName": "<DB_name>",
               "roles": [
                 "<role_1>", "<role_2>", ..., "<role_N>"
               ]
             }
           ]
         }'

    Where:

    • updateMask: Comma-separated list of settings you want to update.

    • password: Password.

      Note

      The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.

      The password must be between 8 and 128 characters.

    • permissions: User permission settings:

      • database_name: Name of the database to which the user will have access.
      • roles: Array of user roles. Each role is provided as a separate string in the array. For the list of possible values, see Users and roles.

    You can get the cluster ID from the folder’s cluster list, and the username from the list of cluster users.

  3. Check the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and place it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the UserService.Update method, e.g., via the following gRPCurl request:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the update_mask parameter as an array of paths[] strings.

    Format for listing settings
    "update_mask": {
    "paths": [
        "<setting_1>",
        "<setting_2>",
        ...
        "<setting_N>"
    ]
}

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/mongodb/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>",
        "user_name": "<username>",
        "update_mask": {
          "paths": [
            "password",
            "permissions.database_name",
            "permissions.roles"
          ]
        },
        "password": "<user_password>",
        "permissions": [
          {
            "database_name": "<DB_name>",
            "roles": [
              "<role_1>", "<role_2>", ..., "<role_N>"
            ]
          }
        ]
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.mongodb.v1.UserService.Update

    Where:

    • update_mask: Comma-separated list of settings you want to update.

    • password: Password.

      Note

      The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.

      The password must be between 8 and 128 characters.

    • permissions: User permissions:

      • database_name: Name of the database the user can access.
      • roles: User roles as an array of strings, one per role. Possible values are listed in Users and roles.

    You can get the cluster ID from the list of clusters in your folder, and the username from the list of cluster users.

  4. Check the server response to make sure your request was successful.

Deleting a user

  1. Open the folder dashboard.
  2. Navigate to the Yandex StoreDoc service.
  3. Click the name of your cluster and open the  Users tab.
  4. Locate the user you need in the list, click in their row, and select Delete.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To delete a user, run this command:

yc managed-mongodb user delete <username> \
  --cluster-name <cluster_name>

You can get the cluster name from the list of clusters in your folder.

  1. Open the current Terraform configuration file describing your infrastructure.

    To learn how to create this file, see Creating a cluster.

  2. Delete the yandex_mdb_mongodb_user resource with the target user’s description.

  3. Validate your configuration.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm resource changes.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider guide.

  1. Get an IAM token for API authentication and place it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the User.Delete method, e.g., via the following cURL request:

    curl \
  --request DELETE \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --url 'https://mdb.api.cloud.yandex.net/managed-mongodb/v1/clusters/<cluster_ID>/users/<username>'

    You can get the cluster ID from the list of clusters in your folder, and the username from the list of cluster users.

  3. Check the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and place it in an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the UserService.Delete method, e.g., via the following gRPCurl request:

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/mongodb/v1/user_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "cluster_id": "<cluster_ID>",
        "user_name": "<username>"
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.mongodb.v1.UserService.Delete

    You can get the cluster ID from the list of clusters in your folder, and the username from the list of cluster users.

  4. Check the server response to make sure your request was successful.

Examples

Add a user with read-only permissions

To add a new user2 account with read-only access for the db1 database to an existing cluster:

  1. Go to the folder page.
  2. Go to Yandex StoreDoc.
  3. Click the name of your cluster and open the  Users tab.
  4. Click Create user.
  5. Enter user2 for username and enter a password (from 8 to 128 characters).
  6. Select the db1 database from the Add database drop-down list.
  7. Select the read role from the drop-down list next to the db1 database.
  8. Click Create.

Run this command:

yc managed-mongodb user create user2 \
  --cluster-name <cluster_name> \
  --password <user_password> \
  --permission database=db1,role=read

  1. Open the current Terraform configuration file describing your infrastructure.

    Learn how to create this file in Creating a cluster.

  2. Add the yandex_mdb_mongodb_user resource:

    resource "yandex_mdb_mongodb_user" "user2" {
  cluster_id = <cluster_ID>
  name       = "user2"
  password   = "<password>"
  permission {
    database_name = "db1"
    roles         = [ "read" ]
  }
}

  3. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider guide.

Modify user permissions

To grant read-only access to the db2 database to an existing cluster1 user named user1:

  1. Go to the folder page.
  2. Go to Yandex StoreDoc.
  3. Click cluster1 and select the Users tab.
  4. Click in the row with user1 and select Configure.
  5. Click Add database and select db2 as your database.
  6. Click and select the read role from the drop-down list next to the db2 database.
  7. Click Save.

Run this command:

yc managed-mongodb user grant-permission user1 \
  --cluster-name cluster1 \
  --database db2 \
  --role read

  1. Open the current Terraform configuration file describing your infrastructure.

    Learn how to create this file in Creating a cluster.

  2. Find the yandex_mdb_mongodb_user resource.

  3. Add the permission section:

    resource "yandex_mdb_mongodb_user" "user1" {
  cluster_id = <cluster_ID>
  name       = "user1"
  password   = "<password>"
  permission {
    database_name = "db2"
    roles         = [ "read" ]
  }
}

  4. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  5. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider guide.

Previous
Managing databases
Next
Managing shards